Theoretically, couldn't the client send the message to one server and the keys to a different set of servers? Clients would request the encrypted messages from one server and the keys from another?
That would imply client-side encrypted cloud backups, with external key management which isn't the case in Telegram, if it were it could be shown from client-side code. Also, even if that would be the case, it would just need combining key and ciphertext in once place which is again the weak link.
Also, there's no way the search would work as fast as it does now if key /ciphertexts would have to be transported via servers, and finally, since it's a single server that can request data (I have checked the destination IPs), anything of the sort is not happening.
"should still be possible to set up so that a single rogue sysadmin cannot get hold of messages."
I'm afraid that's not possible. When the message arrives to server and the outer layer that is in-transit encryption is stripped, what must remain is the plaintext message, or a message that the server can not decrypt. Such technology already exists, it's called end-to-end encryption. If there was a simpler way to protect from malicious servers, there wouldn't be a need for E2EE communication ;)
"See above. As long as they don't do serverside search or anything this should be possible?"
So no that wouldn't work in practice. Proper cryptographic design in secure messaging apps doesn't distinguish between entities on server who have access to keys. "Jack has one part of the key and Jill has another, but they will never collude or get hacked at the same time" is very bad security rationale.
"- X is definitely in the pocket of FSB."
Well, the problem here is, if the scenario is this "Telegram is secretly in the pocket of the FSB and they're giving access to every message on their server" I can't say "No way, it's all end-to-end encrypted they have nothing to give". I can say that for Signal, however, so I'd rather recommend it instead, and actually, because I can't say Telegram definitely isn't in the pocket of FSB, I don't think it should be used. I hope you understand this requirement of verifiability. If Telegram really wanted to lock themselves from user data, the would've implemented E2EE from the get go.
"E2E or nothing!"
Not sure what to make of this, I haven't heard anyone claim no encryption is better than weaker encryption. But wrt. message confidentiality, since there is no difference when it comes to service provider obtaining the plaintext copy, it's hard to not say "don't use it if it's not E2EE".
"- Use WhatsApp or nothing!"
Another complex problem that boils down to trusting WA has not changed source code after Moxie helped implement Signal Protocol. Like I said earlier, there's maybe a 1..2% chance of backdoor that allows WA to snoop on it's E2EE. So if for some reason one would have to compare these particular ones (IRL this is what we'd call a false dilemma), I'd say
1. Telegram secret messages for one-on-one chats
2. WhatsApp group messages
3. Telegram group messages
WhatsApp may have 1..2% chance of backdoor, but with Telegram I know there's a front door with 100% probability.
If we forget the false dilemma, suddenly Signal solves all of our woes wrt. cross-platform private one-on-one chats and group chats.
"Hey, even tptacek went as far as admitting this at some point:"
Let's not put his words "almost literally any secure messenger is better than email."
Firstly, that assumes he considers Telegram a secure messenger. Secondly, encrypted email has serious problems with deniability (which we'll ignore this time) and forward secrecy: in those respects Telegram's E2EE is better, sure, but E2EE email for group chats (Assuming the client knows how to reply individually to all, and to use each individual's PGP key to protect it) is again more private than Telegram's group chats.
I always took the claim of routing keys and messages in different jurisdiction to be about not writing them to storage in those jurisdiction, not about not having them in RAM.
the idea being that there can be an internal policy to shut down the server and wipe the ram but it is harder to do with drives.
I also have a question since you probably can answer: can E2E offer a similar user experience to what normal telegram chats offer?
" I always took the claim of routing keys and messages in different jurisdiction to be about not writing them to storage in those jurisdiction, not about not having them in RAM."
There's no precedent I'm aware of that if e.g. NL Telegram server has the key in its RAM but not in its disk, that it doesn't have to hand out the keys. Also the keys and/or plaintexts can just be stolen by foreign intelligence establishments. It's not just judicial means we need to be concerned about. E.g., just because it's legal in China to hack Telegram servers abroad, doesn't mean it's right, and Telegram should take this into account.
"the idea being that there can be an internal policy to shut down the server and wipe the ram but it is harder to do with drives."
This is pure speculation and it wouldn't matter because key lifting attacks would be transparent, i.e. the exploit is polished enough not to raise alarms.
"I also have a question since you probably can answer: can E2E offer a similar user experience to what normal telegram chats offer?"
Yes. Except channels and extremely large supergroups. But these two don't enjoy expectation of privacy. You can't expect something you say to a group of 10,000+ people to remain private, people consider such groups public.
Encrpytion is just math so there's also no way around the UX problem of authentication that's part of E2EE, but since that's expected of users, it's not a problem either.
Everything else, group chats with roles, synced chats, file transfers, locations, stickers... you name it, can be done over E2EE, just look at how Signal is showing each of those can be done. It's not trivial of course, but like you asked, "can it be done", yes, it can.
That would imply client-side encrypted cloud backups, with external key management which isn't the case in Telegram, if it were it could be shown from client-side code. Also, even if that would be the case, it would just need combining key and ciphertext in once place which is again the weak link.
Also, there's no way the search would work as fast as it does now if key /ciphertexts would have to be transported via servers, and finally, since it's a single server that can request data (I have checked the destination IPs), anything of the sort is not happening.
"should still be possible to set up so that a single rogue sysadmin cannot get hold of messages."
I'm afraid that's not possible. When the message arrives to server and the outer layer that is in-transit encryption is stripped, what must remain is the plaintext message, or a message that the server can not decrypt. Such technology already exists, it's called end-to-end encryption. If there was a simpler way to protect from malicious servers, there wouldn't be a need for E2EE communication ;)
"See above. As long as they don't do serverside search or anything this should be possible?"
So no that wouldn't work in practice. Proper cryptographic design in secure messaging apps doesn't distinguish between entities on server who have access to keys. "Jack has one part of the key and Jill has another, but they will never collude or get hacked at the same time" is very bad security rationale.
"- X is definitely in the pocket of FSB."
Well, the problem here is, if the scenario is this "Telegram is secretly in the pocket of the FSB and they're giving access to every message on their server" I can't say "No way, it's all end-to-end encrypted they have nothing to give". I can say that for Signal, however, so I'd rather recommend it instead, and actually, because I can't say Telegram definitely isn't in the pocket of FSB, I don't think it should be used. I hope you understand this requirement of verifiability. If Telegram really wanted to lock themselves from user data, the would've implemented E2EE from the get go.
"E2E or nothing!"
Not sure what to make of this, I haven't heard anyone claim no encryption is better than weaker encryption. But wrt. message confidentiality, since there is no difference when it comes to service provider obtaining the plaintext copy, it's hard to not say "don't use it if it's not E2EE".
"- Use WhatsApp or nothing!"
Another complex problem that boils down to trusting WA has not changed source code after Moxie helped implement Signal Protocol. Like I said earlier, there's maybe a 1..2% chance of backdoor that allows WA to snoop on it's E2EE. So if for some reason one would have to compare these particular ones (IRL this is what we'd call a false dilemma), I'd say
1. Telegram secret messages for one-on-one chats 2. WhatsApp group messages 3. Telegram group messages
WhatsApp may have 1..2% chance of backdoor, but with Telegram I know there's a front door with 100% probability.
If we forget the false dilemma, suddenly Signal solves all of our woes wrt. cross-platform private one-on-one chats and group chats.
"Hey, even tptacek went as far as admitting this at some point:"
Let's not put his words "almost literally any secure messenger is better than email."
Firstly, that assumes he considers Telegram a secure messenger. Secondly, encrypted email has serious problems with deniability (which we'll ignore this time) and forward secrecy: in those respects Telegram's E2EE is better, sure, but E2EE email for group chats (Assuming the client knows how to reply individually to all, and to use each individual's PGP key to protect it) is again more private than Telegram's group chats.